Meraki

RichardChen1 · ‎Aug 13 2019

We have 2 internet uplinks on WAN 1 and WAN2.

On the dashboard the only option for PBR is based on source/dest ip and ports.

Does MX support PBR based on applications?

I do find application routing in VPN SD-WAN policy but not on internet traffic.

We have customer requesting this feature for SaaS traffic, for example: O365 app use WAN 1 and Webex app use WAN1 on a single site dual internet scenario.

hoempf · ‎Aug 13 2019

While you can't specify traffic by application name you *could* do it on an IP address basis:

https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network#targetText=1...)

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

But this results in a very static configuration and if SaaS providers change or add IP address ranges you have to update this list.

Anyway I wanted to answer it because in my experience such IP addresses (or ranges) don't really change that much.

Microsoft even has a service where you could query their O365 ranges by API, but I haven't found a way yet to update this configuration option in Dashboard API 😉

View solution in original post

jdsilva · ‎Aug 13 2019

Nope, this is not available for Internet traffic. As you said, it's src/dst ports/IPs only.

http://blog.brokennetwork.ca |

@jdsilva

hoempf · ‎Aug 13 2019

While you can't specify traffic by application name you *could* do it on an IP address basis:

https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network#targetText=1...)

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

But this results in a very static configuration and if SaaS providers change or add IP address ranges you have to update this list.

Anyway I wanted to answer it because in my experience such IP addresses (or ranges) don't really change that much.

Microsoft even has a service where you could query their O365 ranges by API, but I haven't found a way yet to update this configuration option in Dashboard API 😉

cyr0nk0r · ‎Apr 21 2020

This isn't 'solved'.

Is this supported yet? I can find requests for these features all the way back to 2017 on these forums.

Happiman · ‎Aug 13 2019

I was trying to do the same thing with the entire subnets for O365 w/o success. It's just too much.

https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network

Maybe Webex is not that bad..

64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
66.163.32.0/19 (CIDR) or 66.163.32.0 - 66.163.63.255 (net range)
170.133.128.0/18 (CIDR) or 170.133.128.0 - 170.133.191.255 (net range)
173.39.224.0/19 (CIDR) or 173.39.224.0 - 173.39.255.255 (net range)
173.243.0.0/20 (CIDR) or 173.243.0.0 - 173.243.15.255 (net range)
207.182.160.0/19 (CIDR) or 207.182.160.0 - 207.182.191.255 (net range)
209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
216.151.128.0/19 (CIDR) or 216.151.128.0 - 216.151.159.255 (net range)
114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range)
210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
69.26.176.0/20 (CIDR) or 69.26.176.0 - 69.26.191.255 (net range)
62.109.192.0/18 (CIDR) or 62.109.192.0 - 62.109.255.255 (net range)
69.26.160.0/20 (CIDR) or 69.26.160.0 - 69.26.175.255 (net range)

RichardChen1 · ‎Aug 13 2019

Thanks guys. I had a similar request before on the "not app aware" checkpoint firewall that requires rules to control O365 traffic. Did not work it out.

I wonder why Meraki is able to offer this feature in vpn traffic but not on internet traffic.

Meraki

Community

MX policy based routing based on application - possible?

MX policy based routing based on application - possible?